CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application is related to U.S. Patent Application Nos. 10/464,417 filed June 17, 2003, 10/464,815 filed June 17, 2003, 10/464,421 filed June 17, 2003, 10/464,874 filed June 17, 2003, 10/464,875 filed June 17, 2003, and 10/464,055 filed June 17, 2003, which are incorporated by reference herein for all purposes.

BACKGROUND OF THE INVENTION 

[0002] The present invention relates to the field of software applications generally, and specifically to the implementation of financial applications. The corporate accounting scandals surrounding WorldCom, Enron and Tyco in 2002 spurred the passage of the Sarbanes-Oxley Act of 2002. The Act creates an obligation for officers of a company to warrant to their shareholders the accuracy of the company's accounting information, the controls in place to safeguard the assets of the company, and the validity of the financial statements they produce. Although these obligations have previously existed in a weaker form in the United States, the advent of the Sarbanes-Oxley Act has made these obligations much stronger. Any company that is listed on an American stock exchange has these obligations.

[0003] The Act codifies a framework for internal accounting controls specified by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO establishes three categories of controls: Effectiveness and Efficiency of Operations; Reliability of Financial Reporting; and Compliance with Laws and Regulation. COSO also establishes five interrelated components of effective internal control: Control Environment; Risk Assessment; Control Activities; Information and Communications; and Monitoring. In summary, the methodology prescribed by COSO includes identifying the opportunities for fraudulent reporting, determining the risks arising from these opportunities, and then providing accounting controls to mitigate these risks.

[0004] The risk from insufficient segregation of duties is one risk included in these accounting controls. If certain duties are concentrated in a single person, the chance of employee errors or malfeasance going undetected is greatly increased. For example, if an employee can create a supplier in an accounts payable system and also authorize an invoice from that supplier for payment, a risk exists that the employee could create and initiate payments to a fake supplier to steal company funds. In another example, if an employee responsible for inventory accuracy can authorize cycle count adjustments, a risk exists that the employee can pilfer inventory undetected.

[0005] In an enterprise, there are numerous duties or functions, referred to generally as incompatible functions, that should not be performed by the same employee. Previously, determining which pairs or groups of functions are incompatible required specialized knowledge of both accounting practices and specifics of the enterprise's applications. Additionally, in manually creating lists of incompatible functions, there is no way to verify that all possible combinations of functions have been considered. Furthermore, even for limited sets of incompatible functions, there is no efficient way for auditors to verify that employees are observing proper segregation of incompatible functions.

[0006] It is desirable to have an audit system that enables an enterprise to efficiently determine a comprehensive set of incompatible functions. It is further desirable that the audit system provide verification of proper segregation of incompatible functions, alerts when incompatible functions are assigned to the same employee, and further prevent employee access to incompatible functions.



BRIEF SUMMARY OF THE INVENTION

[0007] An embodiment of the invention is an audit system including a set of business processes that describe the operations of an enterprise. The audit system has a registry of incompatible business functions. The registry of incompatible business functions is created from a library of business processes. Additional business functions can be added to the registry by auditors to suit the specific needs of an enterprise. A report generator determines the business functions available to each employee and compares these functions with the registry to ensure that proper segregation of duties is observed. Additionally, if a new business function is assigned to an employee, an alert is sent by the audit system if this business function is incompatible with other business functions assigned to the employee.
[0008] In an embodiment, the audit system comprises a set of business processes describing the operations of an enterprise. A subset of the set of business processes is assigned to an employee. A process compatibility registry defines a set of business process incompatibilities. Each business process incompatibility lists at least two business processes that should not be assigned to the employee. An audit manager is adapted to compare the business process incompatibilities of the process compatibility registry with the subset of business processes assigned to an employee.

[0009] In one embodiment, a report generator is adapted to create a report identifying the employee in response to the subset of business processes matching at least one business process incompatibility. The report may further include an identification of the business process incompatibility matching the subset of business processes.

[0010] In yet a further embodiment, a business process library has a plurality of business processes. The set of business processes is a subset of the plurality of business processes of the business process library. The business process library includes a plurality of business process incompatibilities corresponding to at least a portion of the plurality of business processes. Each business process incompatibility lists at least two business processes that should not be assigned to the employee. In an embodiment, the audit manager is adapted to receive a selection from an auditor designating a business process to be selected from the business process library. In response to the selection, the audit manager is adapted to add the designated business process to the set of business processes and to add a business process incompatibility to the process compatibility registry.

[0011] In still another embodiment, the audit system includes a set of workflow-enabled applications having a set of functions adapted to implement the set of business processes. An assignment of the subset of business processes to the employee enables the employee to access a corresponding subset of functions implementing the subset of business processes.

[0012] In still a further embodiment, a new business process is adapted to be assigned to the employee and added to the subset. The audit manager is adapted to create an alert in response to the subset of business processes matching at least one business process incompatibility. The alert may be communicated to an auditor. The alert may include an identification of the employee. The alert may also include an identification of the business process incompatibility matching the subset of business processes. In another embodiment, the audit manager is adapted to prevent the assignment of a new business process in response to the subset of business processes matching at least one business process incompatibility.


BRIEF DESCRIPTION OF THE DRAWINGS
[0013] The present invention will be described with reference to the drawings, in which:

Figure 1 is a block diagram of a system for implementing an embodiment of the invention;

Figure 2 is a block diagram illustrating a set of applications and data objects used by an embodiment of the invention;

Figure 3 is a block diagram illustrating an embodiment of the invention;

Figure 4 is an example screen display of an embodiment of the invention;

Figure 5 is a block diagram of the user interface of an embodiment of the invention;

Figure 6 is a block diagram of a method for creating a business process according to an embodiment of the invention;

Figure 7 is a block diagram of a portion of an embodiment of the invention for monitoring the performance of a business process;

Figure 8 is a block diagram illustrating the association of a business process with process risks, controls, and control reports according to an embodiment of the invention;

Figure 9 is a block diagram of a portion of an embodiment of the invention for approving a variation of a business process;

Figure 10 is a block diagram of a portion of an embodiment of the invention for creating an impacted financial statement;

Figure 11 is a block diagram illustrating a set of data objects used by an embodiment of the invention;

Figure 12 illustrates a block diagram of a hosted audit service according to an embodiment of the invention; and

Figure 13 illustrates a registry of incompatible functions 1300 according to an embodiment of the invention.



DETAILED DESCRIPTION OF THE INVENTION
[0014] The present invention enables auditors to efficiently and effectively audit the business processes of an enterprise. An embodiment of the audit system: 1) configures and implements audit processes; 2) determines the set of risks associated with the business processes of an enterprise; 3) applies a set of controls to the business processes of an enterprise to mitigate the set of associated risks; 4) continuously monitors the effectiveness of a set of controls; 5) determines when business processes used by an enterprise have deviated from a model process; 6) certifies new business processes; 7) integrates business processes and their associated risks and controls with financial statements; 8) creates audit procedures to be followed by auditors and employees to implement audit processes; and 9) verifies proper segregation of incompatible functions. An embodiment of the audit system includes a hosted service that provides auditors with a set of audit procedures and enables auditors to track compliance with these procedures for a set of standard business processes.

[0015] Figure 1 is a block diagram of a system 100 for implementing an embodiment of the invention. System 100 includes user computers 105, 110, and 120. User computers 105, 110, and 120 can be general purpose personal computers having web browser applications. Alternatively, user computers 105, 110, and 120 can be any other electronic device, such as a thin-client computer, Internet-enabled mobile telephone, or personal digital assistant, capable of displaying and navigating web pages or other types of electronic documents. Although system 100 is shown with three user computers, any number of user computers can be supported.

[0016] A web server 125 is used to process requests for web pages or other electronic documents from user computers 105, 110, and 120. In an embodiment of the invention, all user interaction with the audit system is via web pages sent to user computers via the web server 125.

[0017] Web application server 130 operates the audit system. In an embodiment, the web application server 130 is one or more general purpose computers capable of executing programs or scripts in response to the user computers 105, 110 and 115. The web application can be implemented as one or more scripts or programs written in any programming language, such as Java™, C, or C++, or any scripting language, such as Perl, Python, or TCL.

[0018] In an embodiment, the web application server 130 dynamically creates web pages for displaying the audit system and audit output data. The web pages created by the web application server 130 are forwarded to the user computers via web server 125. Similarly, web server 125 receives web page requests and audit input data from the user computers 105, 110 and 120, and forwards the web page requests and audit input data to web application server 130.

[0019] As the web application on web application server 130 processes audit data and user computer requests, audit data can be stored or retrieved from database 135. Database 135 stores general audit data used by every user for every audit in the enterprise. Database 135 also stores audit data associated with individual audits and/or individual users of the audit system. In an embodiment, the web application on the web application server 130 can retrieve any previously stored data from the model database 135 at any time. This allows users to modify or update audit data.

[0020] An electronic communication network 120 enables communication between computers 105, 110, and 115, web server 125, web application server 130, and database 135. In an embodiment, network 120 may further include any form of electrical or optical communication devices, including wireless and wired networks. Network 130 may also incorporate one or more local-area networks, such as an Ethernet network; wide-area networks, such as the Internet; and virtual networks, such as a virtual private network.

[0021] The system 100 is one example for executing an audit system according to an embodiment of the invention. In another embodiment, web application server 130, web server 125, and optionally model database 135 can be combined into a single server computer system. In an alternate embodiment, all or a portion of the web application functions may be integrated into an application running on each of the user computers. For example, a Java™ or JavaScript™ application on the user computer is used to process or store audit data or display portions of the audit application.
[0022] Figure 2 is a block diagram 200 illustrating a set of applications 205 and data objects used by an embodiment of the invention. The set of applications 205 includes a database 210, a web server 215, and an application server 220, similar to those discussed above. Additionally, the set of applications includes a notification system 230, a workflow system 235, and a set of workflow-enabled applications 240.

[0023] The notification system 230 enables communication between audit system users and the audit system. Communications can be in the form of electronic messages such as electronic mail and instant messages. The notification system 230 can be used to gather data and to distribute information or instructions from audit system users or other individuals. Communications can include forms or questionnaires to be completed by recipients. Users return the completed form to the notification system 230. The notification system 230 then processes the completed forms to extract the data provided by users. The notification system 230 can transfer extracted data to any of the other applications or to other audit system users.

[0024] The workflow system 235 enables the implementation of business processes. A business process is a planned series of work activities, referred to as business functions, with defined inputs and results. The workflow system allows business processes to be defined for any of the operations of a business enterprise. A business process can define the business functions needed to complete an operation, the personnel responsible for performing each of the business functions, and the inputs and outputs of each of the business functions. Business processes can include conditional branches, so that different business functions are performed in response to the result of one or more previous work activities. In an embodiment, the workflow system 235 has a graphical user interface for visually defining a business process or a business function in a manner similar to drawing a flowchart.

[0025] In an embodiment, the workflow system 235 is linked to a set of workflow-enabled applications. In this embodiment, the workflow system 235 is not only a drafting tool for defining business processes, but also directly controls the operations of the workflow-enabled applications. Each business function in the business process is linked to an underlying function of a workflow-enabled application. Selecting a business function in a business process invokes the associated function of the workflow-enabled application.

[0026] For example, a business process that defines the business functions to be followed to pay an invoice can be linked to a workflow-enabled accounts payable application. The workflow-enabled accounts payable application will operate according to the business process defined by the workflow system. If, for example, the workflow system specifies that invoices over a threshold amount, for example $100,000, be routed to a senior manager for approval, while invoices under this threshold can be approved by a junior manager, then the workflow-enabled accounts payable application will route all invoices received according to these criteria. In a further example, the notification system 230 can be used to route invoices and collect approvals as specified by the business process.

[0027] In a further embodiment, a business function of a business process represents a collection of related sub-functions, each representing a different work activity, or alternately represents a single work activity. For example, a procurement to payment business process can define the work activities used by an enterprise to procure and pay for business supplies. Examples of business functions within the procurement to payment process may include a procurement function to request business supplies, a receiving function to handle receipt of the business supplies, and a payables function to pay for the supplies following delivery. Each of these business functions can have numerous sub-functions. For example, the procurement function can have sub-functions for soliciting bids, evaluating bids from suppliers, and ultimately selecting a winning bid.

[0028] In yet a further embodiment, business functions representing a collection of related sub-functions may correspond with menus of workflow-enabled applications. Employees assigned to a specific business function will have access to the corresponding menu in workflow-enabled applications, and any of the collection of related sub-functions can be activated via the menu. Conversely, an employee will be unable to access a menu of a workflow-enabled application corresponding with a business function not assigned to the employee.

[0029] The set of workflow-enabled applications can include applications adapted to a variety of business operations, including purchasing applications, such as Oracle Purchasing, general ledger applications, such as Oracle General Ledger, project management applications, such as Oracle Projects, accounts payable and receivable applications, such as Oracle Payables and Oracle Receivables, human resources applications, such as Oracle Human Resources, account generation applications, such as Oracle Account Generator, service applications, such as Oracle Service, engineering management applications, such as Oracle Engineering, inventory applications, such as Oracle Inventory, web employee applications, such as Oracle Web Employees, web customer applications, such as Oracle Web Customers, web supplier applications, such as Oracle Web Suppliers, and implementation applications, such as Oracle Implementation Wizard.

[0030] In addition to the set of applications 205, a set of data objects are used by the audit system. A process library 250 is a set of business processes implemented in the workflow system 235 and, in an embodiment, associated with workflow-enabled applications 240. A typical process library can include over one thousand different business processes. Business processes can be generally applicable to all businesses, or specific to a certain type of business or industry.

[0031] A set of process risks 265 are associated with the business processes of the process library. A process risk is an undesirable outcome of a business process. Risks can result from a variety of sources, including from employees failing to follow the steps of a business process, from mistakes or wrong decisions made by employees, from employee malfeasance, and from business effects, such as customers failing to pay bills. Risks can be classified into categories, such as the type of risk, the organizations affected by the risk, and the severity of the risk. Each business process can be associated with one or more process risks, and conversely, each process risk can be associated with one or more business processes.

[0032] A set of process controls 255 are associated with the set of process risks 265 and the business processes of the process library 250. Controls are additional processes, conditions, and/or notifications intended to mitigate the associated risks. A control can be a manual control instructing an employee to verify a physical condition. A manual control can be implemented using the notification system. For example, a control may require that a signature file or other valuable item be secured in a safe. In this example, the notification system will send a verification request to a trusted employee. The trusted employee will check to ensure the item is secured, and then respond to the verification request. The notification system will record the employee's verification for future reference.
[0033] A control can also be another business process implemented by one or more workflow-enabled applications. For example, an invoice control can be a two-, three-, or four-way matching of a received invoice with a purchase order, an inventory record for the associated item, and/or an acknowledgement of the acceptance of the item. These matching operations can be defined as a business process in the workflow system and executed by the functions of underlying workflow-enabled applications.

[0034] A set of process procedures 260 is associated with the other data objects. The process procedures provide documentation for performing the business processes of the process library 250. A typical set of procedures can include hundreds of different procedures for performing all or portions of the different types of business processes. The process procedures provide documentation to employees assigned to perform all or a portion of a business process on the appropriate way to perform their assigned tasks. In an embodiment, a procedure can be associated with more than one type of business process. Additionally, the set of process procedures 260 includes audit procedures for auditing the business processes. The audit procedures are associated with one or more business processes of the process library 250. The audit procedures provide auditors with documentation for auditing the associated business process. Auditors assigned to a specific business process can retrieve the appropriate audit procedures from the set of process procedures 260.

[0035] Figure 3 is a block diagram 300 illustrating an embodiment of the invention. A set of data objects and core applications, such as that discussed in Figure 2, is interfaced with an audit manager 305.

[0036] The audit manager 305 provides a central interface to all audit related tasks in an enterprise. The audit manager 305 enables an auditor to develop a picture of the processes of the company, similar to the library needed for an ISO 9000 compliance audit. The audit manager 305 allows processes to be viewed and decomposed into many levels.

[0037] Additionally, part of the internal audit function is maintaining the relationship between a business process and the financial accounts that it impacts. For example, the Order to Cash process affects the Revenue, Deferred Revenue, Cost of Goods Sold, Finished Goods Inventory, and Accounts Receivable Control accounts. The audit manager 305 enables an auditor to efficiently view a business process and its associated financial accounts.
[0038] The audit manager 305 enables an auditor to associate risks for each process and the controls that mitigate each risk. The audit manager 305 can associate controls in the form of additional workflows or business processes to manage a risk. For example, a control can enable processes such as profit screening or notification of a low margin order to finance ratio. As discussed below, controls can be continuously monitored for variances in Key Performance Indicators (KPI) recorded in a Performance Management Framework (PMF). Each KPI can have associated control limits or tolerances. If a process exceeds any of its KPI control limits, an audit function or process can be automatically initiated by the audit manager 305.

[0039] An additional type of control risk arises from insufficient segregation of duties. If too many workflow activities are concentrated in a single person, the chance of employee errors or malfeasance going undetected is greatly increased. The audit manager 305 enables auditors to confirm that there are no employees that have access to pairs or groups of functions that are inconsistent with good internal controls. An example of functions that should be segregated are authorizing new suppliers and authorizing checks. As business processes are created, segregated functions are identified. The audit manager accesses the organizational structure of the enterprise to ensure that segregated functions are not performed by the same person.

[0040] The audit manager 305 also includes project templates defining standard audit procedures for each business process. In an embodiment, the project templates for audit procedures are defined in a workflow-enabled project management application linked with the business process in the workflow system. In this embodiment, the project templates for auditing a business process are workflows defined by the workflow system. An audit project template can include standard audit procedures, document templates, and standard deliverables needed for an audit of an associated business process. The audit manager 305 is interfaced with a workflow-enabled project management application to enable collaboration between auditors by providing planning functions, task assignment functions, progress tracking functions, communication functions, and document management functions. Task assignment functions enable the project management application to locate available people with the skill set to match assignments. Progress tracking functions enable the project management function to monitor progress against milestones.
[0041] When initiating an audit of a business process, the audit manager 305 uses the project management application to create an audit project from the appropriate audit project template. An audit project can be initiated as a scheduled activity or as the result of a trigger event, such as a large accounts receivable write-off. As discussed elsewhere, the performance management framework enables auditors to continuously monitor Key Performance Indicators (KPI) to determine if a trigger criterion has fallen out of tolerance.

[0042] The audit manager 305 executes the audit project using the functions of the underlying project management application. The audit manager uses the project management application to record audit issues warranting further investigation, to record follow-ups to audit issues, and to resolve audit opinion differences, which exist when two auditors have differing opinions on whether a process is in control or not. In an embodiment, a threaded discussion capability, included as part of the notification system, is used to resolve audit opinion differences. The audit manager 305 can store and manage supporting documentation in a document management system. The supporting documentation may be references to transactions or electronic documents, including documents developed in other tools such as spreadsheets, review notes, scanned documents, and other portable document formats.

[0043] The audit manager 305 also employs specialized computer-aided audit tools. Examples of these tools include risk assessment tools such as Ratio Calculators, Anomaly Detectors, Sampling Methods, Process Controls Reports, and Fraud Detectors. A fraud detector is a tool used to detect suspicious transactions, such as identifying people who submitted more than one expense report for a given week or expense reports with more than $100 of expenses without receipts.

[0044] The audit manager 305 further includes audit functions linked to standard financial reports, such as Subledger to General Ledger Integrity or Profit Reconciliation. Audit functions can also be linked to compliance reports, which guide the auditor through checking compliance with regulations like SOP 97-2, or checking contingent liabilities from a supply contract. Audit functions can also be linked to IT reports. For example, an IT report can identify users authorized to create payables invoices.
[0045] An embodiment of the audit manager 305 is tightly integrated with the workflow system and the workflow-enabled applications. As a project status is changed or a task is changed, a workflow is initiated and reviewers and approvers of the project are notified by the notification system, for example by e-mail. The audit project status can be linked to the final audit opinion, so that the notification system automatically notifies the appropriate people of the audit finding.

[0046] An embodiment of the audit manager 305 also integrates with a mapping between the organization units in an enterprise and the business processes that they perform. As each organization may be running a slight variation of a standard business process, the audit manager includes a process change monitor and process certification manager, discussed below, to identify process variations and to ensure that each organization's business processes are approved. Additionally, the audit manager 305 can associate an audit schedule with an organization based upon the mapping of business processes to the organization. For example, an Accounts Receivable process might require auditing every 6 months. Based upon the mapping between organizational units and business processes, the audit manager identifies organizational units that employ the Accounts Receivable process and automatically schedules audit projects for these organizational units.

[0047] As discussed above, the Sarbanes-Oxley Act requires corporations to conduct surveys of management and to enable anonymous reporting of potential problems. An embodiment of the audit manager 305 includes a survey facility to survey management on their opinion of the adequacy of internal controls and to enable anonymous "whistleblower" reporting. The survey facility employs the notification system. Survey users can route their responses to one or more specific organizational levels, to ensure that an issue receives appropriate attention. Like audit issues, the notification system can track follow-up responses to a survey issue in a threaded message format, and survey respondents can anonymously view follow-ups to their issues and can anonymously add their own follow-up responses.

[0048] The audit manager 305 includes a number of supporting modules for performing audit-related tasks. These modules work in conjunction with the audit manager 305 and include an audit control performance monitor 315, a process change monitor 320, a hosted audit service 325, a process certification manager 330, and an impacted financial statements manager 335. The operation of these modules is discussed in detail below.
[0049] Figure 4 is an example screen display 400 of an embodiment of the audit manager. In an embodiment of the invention, screen display 400 is presented to a user via a web browser. Screen display 400 includes tabs 405, 410, 415, 420, and 425 for navigating between sets of audit functions and audit information. By selecting a different one of the tabs, the user is presented with a different set of audit functions and audit information.

[0050] Home tab 405 corresponds to a default, or home, display where relevant daily 
information is presented to users. In Figure 4, the screen display 400 corresponds to an 
example home page, and the Home tab 405 is shaded to indicate to the user that the home 
page is the current display. 

[0051] The home page includes a notifications section 430 displaying a subset of the audit issues and audit tasks to be performed by the user. The home page is personalized for each user, so that each user is presented with relevant audit issues and tasks. The notifications section 430 can include alerts to any outstanding follow-up actions that have not been implemented, to any processes that have fallen outside of acceptable performance limits, and to any organization units that are due an audit according to the audit schedule of the organization.

[0052] The Business Processes tab 410 enables auditors to document the business processes and relevant surrounding information to be audited. The Audit tab 415 enables auditors to define standard audit workflows for the audit of specified Business Processes, Audit Approaches and Lines of Business. The Management tab 420 enables the manager of the audit department to plan the resources and skills needed for audit projects. The Set Up tab 425 enables the manager of the audit department to set the audit schedule for the Business Processes and to assign the business processes to organization units. Tabs 410, 415, 420, and 425 are discussed in more detail below.

[0053] A search function 435 enables audit managers to search for audit-relevant information using the search box. Auditors can search for information by business process, auditor, a standard workflow, an audit project, a procedure in the standard procedures manual, or a predefined risk.

[0054] The home page also presents frequently performed tasks and functions in the Quick Links section 440. In display 400, the Quick Links section includes tasks such as initiating a survey of management's assessment of the effectiveness of internal controls, initiating a new audit project, requesting follow-up on a particular audit issue, and recording a new audit issue.

Oracle Reference No.: OID-2003-078-01
PATENT
ORACLE CONFIDENTIAL
Attorney Docket No.: 021756-002400US

[0055] Figure 5 is a block diagram 500 of the user interface of an embodiment of the invention. Block diagram 500 illustrates the user-interface tabs discussed above and their associated sub-functions. Figure 5 is provided to explain the functions of the invention in an organized fashion; alternate embodiments of the invention may arrange these functions differently.

[0056] The business processes tab 504 includes processes selection 506 for viewing details of one or more business processes. As discussed above, an embodiment of the invention employs the workflow system not only as a drafting tool for the designer of the business process, but also as the actual implementation of the business process. The processes selection 506 enables access to the database of business processes and process activities. In an embodiment, the business processes are displayed in the menu system. Users can navigate to different processes and invoke their underlying functions in workflow-enabled applications. Business processes can reference other business processes.

[0057] Before being deployed by an enterprise, business processes need to be certified. Certification ensures that the process complies with the standards of the enterprise. In an embodiment, selection 506 additionally displays the certification status of a business process. Example values of certification status include "Requested," which indicates that certification has been requested; "Certified," which indicates that the manager or employee responsible for a process has certified that the process has been approved; and "Attested," which indicates that an auditor has verified the adequacy of the controls of the business process.

[0058] A "Request Certification" function is provided by selection 506 to initiate certification of a business process. The certification function sends a notification to all process owners, who are the managers responsible for all or a portion of a process, asking them to certify that the business process has adequate internal controls. Process owners of higher-level processes can review the certification status of subsidiary processes as part of their own certification process. The responses to these notifications are processed to determine the certification status of the business process.
[0059] Selection 510 displays procedures associated with business processes. As discussed above, a set of procedures is associated with each business process. These procedures can be modified to fit the needs of the enterprise. In a further embodiment, the procedures are integrated with a workflow-enabled training application, such as Oracle iLearning, and employees are trained in the procedures by the training application. In this embodiment, selection 510 allows auditors to track the progress of employees in studying the procedures.

[0060] Selection 514 displays risks associated with business processes. The Risks selection 514, reached from within the processes selection 506, displays the risks that relate to each business process in a table. In an embodiment, each risk is classified according to its probability and impact. For example, the risk of a loss-making order being accepted may have a low probability and a high impact. Similarly, the risk of a salesperson accepting a kickback from a distributor may have a high probability and a low impact. Users can select risks from within the table and review the controls that apply to that risk. Users can create a new association between an existing risk and a business process, or add a new risk and associate the risk with one or more business processes.

[0061] Selection 516 displays the controls used to mitigate risks associated with the business processes. For example, one risk associated with the order to cash cycle might be the risk of customer default. Controls that address this risk might include setting approval limits for credit-granting authority, ensuring the separation of duties between sales and credit management, and setting credit holds if an account is over 45 days past due. Each of these controls can be associated with one or more risks, and vice versa.

[0062] In an embodiment, controls are of one of three general types. First, audit trigger events are controls that trigger audit events in response to variances in control limits or tolerances monitored by the performance management framework.

[0063] Second, workflow definition controls are additional workflow processes or sub-processes integrated with the workflow of a business process to mitigate an associated risk. For example, a workflow definition control for a sales quotation process adds functions that perform profit screening or notify finance of a low-margin order. If a sales quotation business process is implemented by a workflow-enabled application, then the workflow definition controls will automatically be implemented by the workflow-enabled application.
[0064] Third, controls can be included in profiles and system options. These controls change the settings or configuration of one or more workflow-enabled applications to implement a control.

[0065] An embodiment of the selection 516 displays controls within a table. Users can select controls and review the risks associated with each control. Users can also select controls and view the associated business processes. Users can create a new association between an existing control and a risk, or add a new control and associate the control with one or more risks.

[0066] Selection 512 displays financial items associated with business processes. A desirable result of auditing is determining the relationships between business processes and the key financial accounts they impact. For example, the Order to Cash process affects the Revenue, Deferred Revenue, Cost of Goods Sold, Finished Goods Inventory, and Accounts Receivable Control accounts. Verifying the balances in an account requires an understanding of the processes affecting the account and the risks associated with these processes.

[0067] Selection 512 enables auditors to associate business processes with one or more key accounts. Auditors can then view financial accounts to determine the set of business processes, risks, or controls associated with each account.

[0068] In an embodiment, an impacted financial statement can be created from the set of business processes, risks, and controls. An impacted financial statement is a financial report, such as a balance sheet, annotated with information from the set of business processes, risks, and controls. A user can view the impacted financial statement as an electronic document. By selecting one or more line items on the impacted financial statement, users can view the risks, controls, and processes impacting the selected line.

[0069] A further embodiment of the invention can import financial data, such as account information, as XML files employing a standard XML schema for financial data. One such schema is the XBRL standard taxonomy. The XML file is parsed to identify the financial accounts. Information from each identified financial account is then matched with the financial information associated with the set of business processes. An impacted financial statement is then created by combining the account information from the XML file with the associated business processes.
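The import step in [0069] is a parse-then-join: pull the numeric facts out of the XBRL instance, then attach to each account the business processes that the audit manager already maps to it ([0066], [0067]). The Python below is an added example, not code from the application or from Oracle. The instance document, the `ex:` taxonomy namespace, the account names and the account-to-process mapping (including the "Procure to Pay" process) are constructed here for illustration; only the `xbrli` instance namespace is the standard one. Accounts with no mapped process are reported separately, since an unmapped key account is one for which no risks or controls have been documented.

```python
"""Build an impacted financial statement from an XBRL-style instance (added example).

The instance document and the account-to-process mapping below are
constructed. The `ex:` taxonomy namespace is hypothetical; only the
xbrli instance namespace is the standard one.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

XBRLI = "http://www.xbrl.org/2003/instance"

# Constructed, heavily simplified instance document.
SAMPLE_INSTANCE = """\
<xbrli:xbrl xmlns:xbrli="http://www.xbrl.org/2003/instance"
            xmlns:ex="http://example.com/taxonomy">
  <xbrli:context id="FY2003">
    <xbrli:entity><xbrli:identifier scheme="http://example.com">ACME</xbrli:identifier></xbrli:entity>
    <xbrli:period><xbrli:instant>2003-12-31</xbrli:instant></xbrli:period>
  </xbrli:context>
  <xbrli:unit id="USD"><xbrli:measure>iso4217:USD</xbrli:measure></xbrli:unit>
  <ex:Revenue contextRef="FY2003" unitRef="USD" decimals="0">1250000</ex:Revenue>
  <ex:AccountsReceivable contextRef="FY2003" unitRef="USD" decimals="0">310000</ex:AccountsReceivable>
  <ex:FinishedGoodsInventory contextRef="FY2003" unitRef="USD" decimals="0">92000</ex:FinishedGoodsInventory>
  <ex:AccountsPayable contextRef="FY2003" unitRef="USD" decimals="0">145000</ex:AccountsPayable>
</xbrli:xbrl>
"""

# Key accounts -> business processes that impact them (constructed, after [0066]).
PROCESS_MAP: Dict[str, List[str]] = {
    "Revenue": ["Order to Cash"],
    "AccountsReceivable": ["Order to Cash"],
    "FinishedGoodsInventory": ["Order to Cash", "Procure to Pay"],
}


@dataclass(frozen=True)
class ImpactedLine:
    account: str
    amount: float
    processes: tuple  # empty tuple: no documented process covers the account


def parse_facts(xml_text: str) -> Dict[str, float]:
    """Extract numeric facts (local concept name -> value), skipping xbrli elements.

    ElementTree is used for this constructed, trusted document; parse untrusted
    filings with defusedxml or an equivalent hardened parser.
    """
    root = ET.fromstring(xml_text)
    facts: Dict[str, float] = {}
    for el in root:
        ns, _, local = el.tag.rpartition("}")
        if ns == "{" + XBRLI:
            continue  # contexts, units and other instance machinery
        if el.text and el.text.strip():
            facts[local] = float(el.text.strip())
    return facts


def build_impacted_statement(xml_text: str, process_map: Dict[str, List[str]]) -> List[ImpactedLine]:
    """Join each parsed account with the business processes mapped to it."""
    facts = parse_facts(xml_text)
    return [
        ImpactedLine(account, amount, tuple(process_map.get(account, ())))
        for account, amount in facts.items()
    ]


def unmapped_accounts(lines: List[ImpactedLine]) -> List[str]:
    """Accounts for which the audit manager has no process, risk or control."""
    return [line.account for line in lines if not line.processes]


if __name__ == "__main__":
    statement = build_impacted_statement(SAMPLE_INSTANCE, PROCESS_MAP)
    for line in statement:
        print(f"{line.account:25} {line.amount:>12,.0f}  {', '.join(line.processes) or '(unmapped)'}")
    print("unmapped:", unmapped_accounts(statement))
```

The unmapped list is the audit-coverage check worth keeping: a balance that reaches the statement without any associated process cannot be traced to risks or controls, which is exactly the gap an auditor would want flagged before signing off.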
[0070] Selection 518 enables auditors to monitor the effectiveness of controls. The audit manager utilizes the Performance Management Framework (PMF) integrated with a set of workflow-enabled applications to assign process objectives to a business process. The PMF can define process objectives as either control objectives or performance objectives. For example, the Accounts Receivable Department of a company may have performance objectives that are consistent with minimizing working capital requirements. An example of a performance objective might be to minimize Days Sales Outstanding. The accounts receivable department may also have control objectives that are consistent with separation of credit-granting authority and sales commitments. An example of a control objective might be to minimize Costs of Bad Debt.

[0071] The PMF enables users to associate one or more key performance indicators (KPIs), which are quantitative measurements of compliance with a control or performance objective, with a business process. KPIs can also be associated with controls to monitor risk mitigation. Each KPI has a desired objective value. The PMF continuously monitors the KPI for deviations from the desired objective value. Any deviation in a KPI value outside a defined tolerance triggers an audit event.

[0072] Selection 518 allows auditors to review the control and performance objectives associated with a business process, and enables auditors to add control and performance objectives, in the form of KPIs, to a business process. This allows auditors to determine whether control and performance objectives are in place to allow management to see if its objectives are being met. By integrating the PMF with the business processes defined by the audit manager, the audit manager enables managers and auditors to monitor the enterprise's performance with regard to both process objectives and risk mitigation.

[0073] Risks selection 520 displays similar information to selection 514, but with the information oriented to display the processes associated with each risk, rather than the risks associated with each business process. Risks selection 520 also displays the controls associated with each risk, similar to selection 516, but with the information oriented as controls associated with each risk, rather than the controls associated with each business process. Risks selection 520 also includes a risks search page enabling users to search for risks by name, process type, risk category, impact category, line of business, financial statement, and financial item. Risks selection 520 also enables auditors to navigate a hierarchical tree to locate a specific risk. Risks selection 520 further enables auditors to add or delete risks.

[0074] Selection 522 displays the controls associated with business processes, similar to selection 516, but oriented to display the risks and/or business processes associated with each control. Selection 522 enables auditors to add or delete controls. Selection 522 also includes a control search function to search for controls by name, process type, risk category, impact category, line of business, financial statement, and financial item. Control selection 522 also enables auditors to navigate a hierarchical tree to locate a specific control.

[0075] Additionally, if the control is associated with a performance or control objective, auditors can view a list of the KPIs that have been created for the organization. Similarly, if the control is a workflow definition control, auditors can view the business processes associated with the control. If the control type is a system option, auditors can view a list of profile options and system options for the workflow-enabled application running the process. If the control type is a manual control, the text of the manual control can be viewed by the auditor.

[0076] Control reports selection 524 enables auditors to review the control and performance objectives associated with a business process, and to add control and performance objectives, in the form of KPIs, to a business process, similar to selection 518. However, selection 524 orients the information to display the business processes associated with each control or performance objective, rather than the control and performance objectives associated with each business process.

[0077] Audit tab 526 enables auditors to create audit projects, to record the activities of the audit project as it executes, and finally to issue the audit opinion and audit summary report. When a specific audit project is undertaken, either as a scheduled activity or as the result of a trigger event (such as a large accounts receivable write-off), the audit project is created from an audit project template for the business flow being audited. For example, if the business flow being audited is Order to Cash, the Order to Cash audit project template is used. The tasks required to audit the process risks of the Order to Cash process are also in the audit project template. The reports that verify the controls are in place can be referred to from within the audit project template.
[0078] Once an audit project is initiated, auditors can locate available people with the skill set to match the assignment. Once underway, audit projects can be monitored for progress against project milestones. Under the Audit tab 526, auditors can perform functions related to performing and recording their work, such as recording audit issues, assigning follow-up actions, attaching supporting documentation, and conducting threaded discussions. Additional specialized reporting is provided on request or distributed to audit participants, both to issue the audit opinion on completion and to issue the audit summary report.

[0079] Audit tab 526 also provides auditors with specialized computer-aided audit tools including: Ratio Calculators, Anomaly Detectors, Sampling Tools, Legal Compliance Check Reports, Contract Contingency Check Reports, Process Control Reports, and Fraud Detectors.

[0080] The audit tab 526 also provides questionnaires to confirm an enterprise's contingency planning for continuance of operations. These questionnaires can be distributed via the notification system. Additionally, the audit tab 526 enables auditors to conduct information technology (IT) audits using specialized questionnaires and reports supplied for this purpose. These IT-specific features include reports for checking database security, function security, network security, physical access security, applications configurations, and applications configuration change history.

[0081] Management tab 532 enables managers of the audit department to create audit project templates and associate audit project templates with business processes. The audit templates are used as the standard workplan when auditing the associated business process. The management tab 532 also includes staff planning capability and skills management capability to help audit department managers ensure they have the right number of competent auditors to ensure the processes are in control.

[0082] Set up tab 538 enables auditors and audit department managers to perform administrative functions such as assigning audit schedules to organizations or business processes, defining segregations of duties, and recording incompatible functions. Audits can be scheduled on an organizational basis. For example, you may choose to audit the accounts receivable department every six months.
[0083] Segregation of duties is implemented to prevent employee malfeasance. Set up tab 538 allows auditors to define pairings of specific functions within one or more business processes that must not be available to the same user. In an embodiment of the invention integrated with a set of workflow-enabled applications, the workflow-enabled applications automatically record the identity of the user performing each function in a business process. This record is compared with the pairings of segregated functions defined by the auditors to ensure segregation of duties.

[0084] Similarly, set up tab 538 enables auditors to record a set of prohibited functions for each function in a business process. For example, a user having access to the create accounts payable invoice function should not also have access to the functions to create suppliers and enter purchase orders. Otherwise, there is a risk that the user can create fictitious suppliers and have the enterprise disburse funds to them.
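The segregation-of-duties check in [0083] and the prohibited-functions check in [0084] both reduce to comparing the functions each user has actually exercised, as recorded by the workflow-enabled applications, against a table of incompatible functions. The Python script below is an added example, not code from the application or from Oracle; the usage log, the function identifiers and both conflict tables are constructed here for illustration. The segregated pairings are undirected (either function may be held first), while the prohibited-function table is directed from the function held to the functions it excludes, which is how the two paragraphs describe them.

```python
"""Segregation-of-duties check over a function-usage log (added example).

A workflow-enabled application records which user performed each function.
Here that record is a constructed list of (user, function) pairs; the
function identifiers and the conflict tables are hypothetical.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed usage log: one entry per (user, function) observed.
USAGE_LOG: List[Tuple[str, str]] = [
    ("alice", "AP_CREATE_INVOICE"),
    ("alice", "AP_CREATE_SUPPLIER"),
    ("bob", "AP_CREATE_INVOICE"),
    ("bob", "AP_APPROVE_PAYMENT"),
    ("carol", "PO_ENTER_PURCHASE_ORDER"),
    ("carol", "AP_CREATE_SUPPLIER"),
    ("dave", "AP_CREATE_INVOICE"),
]

# Segregated pairings ([0083]): two functions that must never be held by the
# same user, in either order.
SEGREGATED_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"AP_CREATE_INVOICE", "AP_APPROVE_PAYMENT"}),
    frozenset({"AP_CREATE_SUPPLIER", "PO_ENTER_PURCHASE_ORDER"}),
}

# Prohibited functions per function ([0084]): a user holding the key function
# must not also hold any of the listed functions.
PROHIBITED: Dict[str, Set[str]] = {
    "AP_CREATE_INVOICE": {"AP_CREATE_SUPPLIER", "PO_ENTER_PURCHASE_ORDER"},
}


def functions_by_user(log: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Collapse the log into the set of functions each user has exercised."""
    by_user: Dict[str, Set[str]] = defaultdict(set)
    for user, function in log:
        by_user[user].add(function)
    return by_user


def find_sod_violations(log: Iterable[Tuple[str, str]],
                        pairs: Set[FrozenSet[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, function_a, function_b) for every segregated pair a user holds."""
    violations = []
    for user, functions in sorted(functions_by_user(log).items()):
        for pair in sorted(pairs, key=sorted):
            if pair <= functions:
                a, b = sorted(pair)
                violations.append((user, a, b))
    return violations


def find_prohibited_violations(log: Iterable[Tuple[str, str]],
                               prohibited: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, held_function, prohibited_function) for each conflict."""
    violations = []
    for user, functions in sorted(functions_by_user(log).items()):
        for function in sorted(functions):
            for banned in sorted(prohibited.get(function, ())):
                if banned in functions:
                    violations.append((user, function, banned))
    return violations


if __name__ == "__main__":
    for v in find_sod_violations(USAGE_LOG, SEGREGATED_PAIRS):
        print("segregation violated:", v)
    for v in find_prohibited_violations(USAGE_LOG, PROHIBITED):
        print("prohibited combination:", v)
```

Because the check runs over functions actually exercised, it is a detective control: it finds a conflict only after the second function has been used. The same comparison run over assigned entitlements (role or responsibility memberships) rather than the usage trail turns it into a preventive check that catches the conflict before either function is used; both are worth running.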

[0085] Figure 6 is a block diagram of a method 600 for creating a business process according to an embodiment of the invention. At step 605, a business process is defined. A business process can be defined from scratch using a workflow system, or by selecting a predefined business process from the business process library. A predefined business process from the business process library can also be modified to create a business process tailored to a specific purpose within an enterprise.

[0086] At step 610, procedure documents are associated with the business process defined in step 605. The procedure documents provide documentation for auditing the business process. In an embodiment, predefined procedure documents are associated with a predefined business process in the business process library. As business processes are selected from the library and configured for use in the enterprise, the associated procedure documents are also selected and designated for use during audits of the business process. In a further embodiment, a predefined procedure document can be modified to create a procedure tailored to a specific need within the enterprise.

[0087] At step 615, process risks are associated with the business process. Process risks can be selected from a predefined set of risks associated with a business process in the business process library. In an embodiment, process risks can be automatically associated with a business process based upon the organization using the business process. In a further embodiment, auditors can associate additional risks, either predefined or newly created, with the business process.

[0088] At step 620, key accounts are associated with the business process. Key accounts are financial accounts impacted by the business process and its associated risks. In an embodiment, the association of key accounts with a business process is used to create impacted financial statements, discussed elsewhere in this application.

[0089] Step 625 determines the risk controls associated with the business process. In an embodiment, the set of risks associated with the business process in step 615 determines a corresponding set of risk controls in step 625. In this embodiment, a set of predefined risks is associated with a corresponding set of predefined controls intended to mitigate these risks. In step 625, an auditor can review the controls associated with the business process. An auditor can add, remove, or modify the controls as he or she sees fit to tailor the controls to the needs of the enterprise.

[0090] Similarly, step 630 determines the risk control reports associated with the risk controls. Control reports, as discussed above, enable auditors to review the control and performance objectives associated with a business process, and to add control and performance objectives, in the form of KPIs, to a business process. In step 630, auditors can review the control reports associated with the business process, and can add, remove, or modify the control reports as they see fit to tailor the control reports to the needs and process objectives of the enterprise.

[0091] Figure 7 is a block diagram 700 of a portion of an embodiment of the invention for monitoring the performance of a business process. A business process 705 is associated with a key performance indicator 710. The key performance indicator determines a quantitative value representing the performance of the business process. For example, a key performance indicator 710 can be the average time to ship a product, the amount of accounts receivable past due, or any other attribute derived from a business process.

[0092] The value of the key performance indicator is compared with a KPI target value 715. A result of this comparison is used to create a performance report 720 describing the business process's 705 performance in comparison to its objectives. The KPI target value 715 can be derived from a performance objective defined by the organizational unit 725 implementing the business process, or alternatively, as discussed above, set by an auditor from the audit manager.

[0093] In an embodiment, the key performance indicator 710 is determined by a performance management framework application. The value of the key performance indicator 710 is determined as frequently as needed. Embodiments of the invention determine the key performance indicator's 710 value on a continuous basis, while alternate embodiments determine this value at other time intervals, such as daily, weekly, monthly, quarterly, and/or yearly.

[0094] Figure 8 is a block diagram 800 illustrating the association of a business process with process risks, controls, and control reports according to an embodiment of the invention. Business process 805 is associated with key performance indicators 835, KPI target values 840, and an organizational unit 845 in a manner similar to that described above with regard to Figure 7. Business process 805 is additionally directly associated with organizational unit 845, so that auditors can view all of the business processes associated with an organizational unit, or all of the organizational units associated with a business process.

[0095] Business process 805 is associated with process risks 810. The process risks 810 
are associated with process risk controls 815 used to mitigate the process risks 810. Process 
risk controls 815 are associated with the KPI target value 840 to enable comparison of a 
process risk control's KPI values with their corresponding KPI target values 840. 

[0096] Process risk controls 815 are further associated with system options 820 and profile options 825. As discussed above, one type of process risk control can be implemented using the profiles and configurations of one or more workflow-enabled applications. The system options 820 and profile options 825 are associated with the process control change log 830, which records the changes in the process risk controls 815 over time.

[0097] Process risk controls 815 are also associated with the process risk control report 850. The process risk control report 850 creates summaries and reports of the process risk controls, enabling auditors and managers to monitor the performance of process risk controls. The process risk control report 850 employs a sample report 855 as a template for creating reports. The process risk control report 850 can create performance reports 860 summarizing the performance of a process risk control relative to a KPI target value 840. Additionally, the process risk control report 850, in conjunction with the process control change log 830, can create a change report 865 summarizing the changes to the process risk controls 815 over time.

[0098] A great deal of the time and effort in an audit is spent verifying the business processes that an enterprise is using. Enterprises often have a global or standard business process. For example, there may be a standard business process for running an Order Desk. Auditors can authorize the standard process as the standard way of running Order Desk operations for all companies in the enterprise. However, a given company or organization unit within the enterprise may be running a derivative or variation of the standard process. Deviations from the approved standard process may be justified in terms of the local legal framework or customs. For example, some countries mandate the number of digits in a journal numbering scheme.

[0099] When the derivative process is audited, the auditors must determine whether the derivative process introduces any additional risks. Any additional risks must be evaluated by auditors and/or managers. If the risks of the derivative process are acceptable, then the derivative process is approved. Depending on the nature of the risks introduced by a derivative process, approval may be required from one or more auditors or managers.

[0100] The audit manager enables enterprises to formalize the approval of business processes and their derivatives. The workflow system acts as a repository of all of the business processes of the enterprise. In an embodiment employing workflow-enabled applications to implement the business processes, derivative processes are automatically added to the workflow system as organizational units change their operations. In an alternate embodiment, organizational units provide the workflow system with descriptions of their business processes manually. The workflow system associates derivative business processes with their implementing organizational units.

[0101] The audit manager compares the business processes of an organizational unit with the standard global business process already approved by the enterprise to identify deviations from the standard business process. Auditors can view each deviation and its approval status (e.g., approved, unapproved, or approval in progress), issue approval requests to the appropriate auditors and managers through the notification system, and monitor any follow-up discussions or actions undertaken in either approving the derivative process or bringing the derivative process back in line with the approved global process. Once a derivative process has been approved, it is added to the repository of approved business processes and will be available to auditors in future audit cycles. Additionally, the approvals, justifications, and discussions related to process deviations are also included as a record of the approval of the derivative process.

[0102] Figure 9 is a block diagram 900 of a portion of an embodiment of the invention for approving a variation of a business process. The de facto business process 905 is compared with the organizational business process 915. The organizational business process 915 inherits the global approved business process and any changes associated with the organizational unit's business processes from the organizational unit 920. Any deviations from the approved business process are identified and subjected to an approval process. Accepted deviations are recorded as business process exceptions 910. Additionally, users can request approval for changes to the standard business process.

[0103] In response to the initiation of an approval process, either arising from a user request or from the identification of a deviation in the de facto business process, the business process change monitor notifies one or more responsible users associated with the business process. The notification identifies the deviation (or requested deviation). Responsible users can include managers, auditors, and attorneys, who are responsible for determining whether the deviation is acceptable from business, financial, and legal perspectives. Each notified user can approve or disapprove of the deviation. The approval decision and any comments from each notified user are shared with the other users. Notified users can discuss the deviation using the notification system, such as the threaded discussion capability, until a consensus is reached. Based on the decision, the deviation can be approved and implemented, or disapproved and removed. The record of the approval process is preserved to document the changes to the business process.
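The comparison at the heart of the process change monitor ([0101], [0102]) is a sequence diff: the de facto steps an organizational unit runs are aligned against the approved global steps, and each non-matching region is a deviation that is either already recorded as an approved business process exception or still needs approval. The Python below is an added example, not code from the application or from Oracle. The Order Desk step names, the two organizational units and the approved exception are constructed; `difflib.SequenceMatcher` from the standard library does the alignment. The second unit illustrates the case an auditor cares most about, a control step (the credit check) silently dropped rather than a step added.

```python
"""Process change monitor: diff a de facto process against the approved one.

Added example, not the application's code. The process step names, the
organizational units and the approved exceptions below are hypothetical.
"""
import difflib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple


@dataclass(frozen=True)
class Deviation:
    kind: str                          # "insert", "delete" or "replace" (difflib opcode)
    approved_steps: Tuple[str, ...]    # steps of the approved process affected
    de_facto_steps: Tuple[str, ...]    # steps the organization actually runs instead


# Global approved Order Desk process (constructed).
APPROVED_ORDER_DESK: List[str] = [
    "receive_order", "credit_check", "price_check", "book_order", "confirm_to_customer",
]

# De facto processes observed from two organizational units (constructed).
DE_FACTO: Dict[str, List[str]] = {
    # FR inserts a locally mandated journal-numbering step.
    "FR": ["receive_order", "credit_check", "assign_journal_number",
           "price_check", "book_order", "confirm_to_customer"],
    # DE has dropped the credit check altogether.
    "DE": ["receive_order", "price_check", "book_order", "confirm_to_customer"],
}

# Deviations already approved as business process exceptions, per unit.
APPROVED_EXCEPTIONS: Dict[str, FrozenSet[Deviation]] = {
    "FR": frozenset({Deviation("insert", (), ("assign_journal_number",))}),
}


def find_deviations(approved: Sequence[str], de_facto: Sequence[str]) -> List[Deviation]:
    """Return every non-matching region between the two step sequences."""
    matcher = difflib.SequenceMatcher(a=approved, b=de_facto, autojunk=False)
    deviations = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        deviations.append(Deviation(tag, tuple(approved[i1:i2]), tuple(de_facto[j1:j2])))
    return deviations


def review(unit: str) -> List[Tuple[Deviation, str]]:
    """Pair each of a unit's deviations with its approval status."""
    exceptions = APPROVED_EXCEPTIONS.get(unit, frozenset())
    return [
        (deviation, "approved" if deviation in exceptions else "unapproved")
        for deviation in find_deviations(APPROVED_ORDER_DESK, DE_FACTO[unit])
    ]


if __name__ == "__main__":
    for unit in DE_FACTO:
        for deviation, status in review(unit):
            print(f"{unit}: {status:10} {deviation.kind:7} "
                  f"approved={list(deviation.approved_steps)} de_facto={list(deviation.de_facto_steps)}")
```

Because `Deviation` is a frozen dataclass, an approved exception matches only the exact same change (same kind, same steps); a later edit to the deviating steps no longer matches and falls back to "unapproved", which is the conservative behaviour wanted here. Routing by `kind` is the natural next step: a "delete" of an approved step removes a control and deserves a stricter approval path than an "insert".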

[0104] Figure 10 is a block diagram 1000 of the association of a business process with a financial account for creating an impacted financial statement and auditing sample transactions in an embodiment of the invention. A business process 1005 is associated with one or more key financial accounts 1010. The financial accounts 1010 are associated with a set of general ledger transactions 1015 that impact the financial accounts 1010. Auditors can select general ledger transaction samples 1020 for further scrutiny. In an embodiment of the invention, the association of the business process 1005 with key accounts 1010, general ledger transactions 1015, and general ledger transaction samples 1020 enables auditors to view sample transactions associated with a business process.

[0105] In addition to scrutinizing sample transactions, auditors can initiate testing steps to validate that a control is in place and is effective. A testing steps module of the audit manager enables auditors to define steps to validate controls. The steps can define manual testing procedures, for example to test the physical security of an item, or can create one or more reports searching for suspicious behavior. For example, to detect risks associated with "quid pro quo" orders between an enterprise and a customer/supplier, a supplier audit report or a supplier/customer netting report, which identifies entities that are both customers and suppliers, can be created.

[0106] Additionally, a report can be created from one or more KPI monitored by the performance management framework. For example, a report can summarize purchases as a percentage of sales. Another type of report can monitor the change in profile or system options affecting the behavior of a business process. For example, a workflow-enabled accounts payable application can have options for activating or deactivating an audit trail, setting a default country, allowing folder customization, and enabling/disabling sequential numbering. Frequent changes in these options can indicate suspicious activity warranting further investigation.
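The supplier/customer netting report of [0105] and the option-change monitor of [0106], as an added Python example that is not part of the patent, run over constructed data. The entity records, the audit-trail record layout, the three-day window and the threshold are assumptions; the option names follow the ones the paragraph lists.

```python
"""Added example (not part of the patent): two reports from paragraphs
[0105] and [0106], run over constructed sample data. Record layouts,
entity names, the window and the threshold are assumptions; option
names follow the ones the patent lists."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed master data: (entity_id, name) for customers and suppliers.
CUSTOMERS = [("E100", "Acme Corp"), ("E200", "Globex"), ("E300", "Initech")]
SUPPLIERS = [("E300", "Initech"), ("E400", "Umbrella"), ("E200", "Globex")]

# Constructed profile-option audit trail: (timestamp, user, option, old, new).
OPTION_CHANGES = [
    ("2003-06-02T09:00", "jdoe", "audit_trail", "on", "off"),
    ("2003-06-02T09:05", "jdoe", "sequential_numbering", "on", "off"),
    ("2003-06-02T09:40", "jdoe", "audit_trail", "off", "on"),
    ("2003-06-03T14:00", "asmith", "default_country", "US", "CA"),
    ("2003-06-04T08:30", "jdoe", "audit_trail", "on", "off"),
    ("2003-06-04T08:55", "jdoe", "audit_trail", "off", "on"),
]


def netting_report(customers, suppliers):
    """Supplier/customer netting report: ids present on both lists,
    i.e. entities that are both a customer and a supplier."""
    return sorted({cid for cid, _ in customers} & {sid for sid, _ in suppliers})


def option_change_report(changes, window=timedelta(days=3), threshold=3):
    """Flag options changed at least `threshold` times inside any rolling
    `window`; returns {option: largest change count seen in one window}.
    Repeatedly switching the audit trail off and on is the pattern of
    interest, since activity between the two changes leaves no trail."""
    per_option = defaultdict(list)
    for ts, _user, option, _old, _new in changes:
        per_option[option].append(datetime.fromisoformat(ts))
    flagged = {}
    for option, times in per_option.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[option] = max(flagged.get(option, 0), count)
    return flagged
```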

[0107] Figure 11 illustrates a block diagram 1100 of the association of a set of testing steps with a business process. The organizational unit business process 1105 is associated with a testing procedure 1109. The testing procedure has several different testing paths used to validate the business process and its controls. First, the testing procedure is associated with a set of risks addressed 1111 by the business process. These general risks are further refined into a set of specific process risks 1113. Each process risk can be associated with one or more controls 1117.

[0108] In a second testing path, the testing procedure 1109 is associated with a set of controls verified 1119. The controls verified 1119 are the controls validated as adequate for the business process. The controls verified 1119 are derived from the set of risk controls 1117. Risk controls 1117 are associated with a risk 1115. Controls 1121 are associated with the risks 1115 to determine the set of risk controls 1117.

[0109] In a third testing path, the testing procedure 1109 is associated with one or more test steps 1125. Each test step is associated with one or more control reports 1123 reporting the value of one or more KPI associated with a control 1121.

[0110] Another aspect of the invention is a hosted audit service. Although the audit manager is ideally tailored for integration with a workflow system and a set of workflow-enabled applications, some enterprises do not have this degree of application integration. Other enterprises may be using incompatible workflow applications.

[0111] To address the audit needs of these enterprises, a hosted audit service leverages the process library and associated process procedures, risks, and controls to provide an audit "package" tailored to the needs of the enterprise. Figure 12 illustrates a block diagram 1200 of a hosted audit service according to an embodiment of the invention. Auditors can access the hosted audit service 1205 to select business processes from the process library 1215 equivalent to the enterprise's business practices. Because the process library 1215 includes business processes based on standard business and industry practices, it is very likely some processes in the process library 1215 will closely resemble the enterprise's actual business practices.

[0112] Based on the auditor's selection of business processes, the hosted audit service 1205 creates an audit procedures manual from the set of process procedures 1220. As discussed above, the process procedure documents are associated with the appropriate business processes. The hosted audit service 1205 leverages this association to create an audit procedure manual tailored to the business practices of the enterprise. The enterprise's auditors can follow the audit procedures manual to audit the business practices of the enterprise.

[0113] Additionally, the set of business processes 1215 is associated with sets of process risks 1225 and process controls 1230. The hosted audit service 1205 can create a list of the associated risks and controls for the business processes selected by the auditor. Auditors can use this list of risks and controls to verify that their enterprise has adequate controls and that all possible risks are addressed.
[0114] Unlike some of the above-discussed embodiments of the audit manager, which actually implement business processes and associated controls in workflow-enabled applications, an embodiment of the hosted audit service does not execute business processes or controls. However, this embodiment of the hosted audit service does provide auditors with a custom-tailored audit "package" that can be manually implemented in their enterprise. This provides substantial time and cost savings for auditors as compared with having to develop their own audit procedures internally or with outside consultants.

[0115] Additionally, the hosted audit service 1205 provides auditors with a central interface to all audit related tasks. In an embodiment, the hosted audit service 1205 provides a central interface similar to audit manager 305. The hosted audit service 1205 enables auditors to create and manage audit projects. This embodiment of the hosted audit service 1205 provides auditors with planning functions, task assignment functions, progress tracking functions, communication functions, and document management functions, similar to those described for audit manager 305. The hosted audit service 1205 can be used to schedule audits automatically.

[0116] The hosted audit service 1205 enables auditors to audit issues warranting further investigation, follow ups to audit issues, and resolutions of audit opinion differences. In a further embodiment, the hosted audit service 1205 includes a threaded discussion capability that is used to resolve audit opinion differences. The notification system and its threaded discussion capabilities are also used by the hosted audit service to conduct management surveys and to enable anonymous "whistleblower" reporting. The hosted audit service 1205 can store and manage supporting documentation in a document management system and includes specialized computer-aided audit tools, such as Ratio Calculators, Anomaly Detectors, Sampling Methods, Process Controls Reports, and Fraud Detectors.

[0117] In a further embodiment of this aspect of the invention, the hosted audit service 1205 is provided to auditors via a web-browser interface. Auditors access the hosted audit service 1205 via a web browser to select business processes appropriate to their enterprise, to create and download an audit procedures manual based on the selected business processes, and to create and download a list of risks and controls. Additionally, the hosted audit service 1205 provides auditors with a central interface to all audit related tasks similar to that in screen display 400 discussed above.
[0118] In a further embodiment, the audit manager includes a registry of incompatible business functions. Figure 13 illustrates a registry of incompatible business functions 1300 according to an embodiment of the invention. The registry of incompatible business functions is created from a library of business processes or duties, such as process library 250 or process library 1215. As the process library is created, a corresponding list of incompatible business functions is created for each business function in a business process. If a business function represents a set of related sub-functions, each sub-function can inherit a list of incompatible business functions from the parent business function, and further may include additional sub-functions. When a business process is selected from the library by auditors for inclusion in the enterprise, the business functions of the selected business process and its corresponding list of incompatible business functions are added to the registry 1300. In a further embodiment, auditors can add additional business functions to the registry. As an auditor adds a business function to an enterprise, the audit manager prompts the auditor to select incompatible business functions.

[0119] For example, registry 1300 is a table having a list of business functions duplicated on both axes. The arrangement of registry 1300 is for purposes of illustration, and alternate embodiments of the registry can include different data structures. In registry 1300, the "Create Supplier" function is incompatible with both the "Pay Invoice" and "Generate Invoice" function, as indicated by the "X" in the corresponding columns. Similarly, the "Conduct Inventory" and "Adjust Cycle Count" business functions are incompatible with each other.

[0120] In an embodiment, a reporting function of the audit manager ensures that functions are segregated among employees according to the incompatibilities listed in registry 1300. To create a report, the audit manager compares the business functions in the registry 1300 with the business functions assigned or available to each employee. Employees having access to two or more incompatible business functions are added to the report. The report may include information for identifying employees having incompatible duties, such as their name and organization, as well as information concerning the incompatible functions, such as a list of all incompatible functions assigned to each employee on the report.

[0121] In another embodiment, an alert function of the audit manager provides auditors with a warning when incompatible duties are assigned to an employee. In this embodiment, as duties are assigned to an employee, the assigned duty and any other previously assigned business function are compared with the business functions in registry 1300 to identify any potential incompatibilities. If an incompatible business function has been assigned to an employee, an alert can be sent to auditors and/or management. In an embodiment, the performance management framework monitors the processes added to each employee and compares added functions with the registry 1300. In a further embodiment, the notification system communicates alerts of incompatible duty assignments with auditors and/or management. In still another embodiment, the audit system may be further integrated with the workflow applications and prevent the assignment of incompatible functions to employees.
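The registry of incompatible business functions of Figure 13, the segregation-of-duties report of [0120] and the assign-time alert of [0121], as an added Python example that is not part of the patent. The three incompatibilities are the ones the text quotes from registry 1300; the sub-function names, the employee assignments and the data layout are assumptions.

```python
"""Added example (not part of the patent): a registry modelled on registry
1300 with sub-function inheritance ([0118]), the segregation-of-duties report
of [0120] and the assign-time alert of [0121]. Names not quoted from the
patent and the data layout are constructed assumptions."""
from collections import defaultdict

# Incompatibilities the patent quotes from registry 1300 (function pairs).
REGISTRY_1300 = [
    ("Create Supplier", "Pay Invoice"),
    ("Create Supplier", "Generate Invoice"),
    ("Conduct Inventory", "Adjust Cycle Count"),
]
# Parent function -> sub-functions; a sub-function inherits the parent's
# incompatibility list ([0118]). The sub-function names are constructed.
SUB_FUNCTIONS = {"Pay Invoice": ["Approve Payment", "Release Payment"]}
# Constructed duty assignments: employee -> business functions held.
EMPLOYEE_FUNCTIONS = {
    "alice": {"Create Supplier", "Approve Payment"},
    "bob": {"Conduct Inventory", "Generate Invoice"},
    "carol": {"Conduct Inventory", "Adjust Cycle Count", "Create Supplier"},
}


def build_registry(pairs=REGISTRY_1300, subs=SUB_FUNCTIONS):
    """Expand pairs into a symmetric map function -> set of incompatible
    functions (the two axes of Figure 13), then copy each parent's list
    to its sub-functions, keeping the matrix symmetric."""
    conflicts = defaultdict(set)
    for a, b in pairs:
        conflicts[a].add(b)
        conflicts[b].add(a)
    for parent, children in subs.items():
        for child in children:
            conflicts[child] |= conflicts[parent]
            for other in conflicts[parent]:
                conflicts[other].add(child)
    return dict(conflicts)


def conflicting_pairs(registry, functions):
    """Sorted pairs of incompatible functions within one employee's set."""
    funcs = sorted(functions)
    return [(a, b) for i, a in enumerate(funcs) for b in funcs[i + 1:]
            if b in registry.get(a, ())]


def sod_report(registry, assignments):
    """[0120]: employees holding two or more incompatible functions."""
    return {emp: p for emp, funcs in assignments.items()
            if (p := conflicting_pairs(registry, funcs))}


def check_assignment(registry, existing, new_func):
    """[0121]: conflicts a new assignment would create; empty means safe."""
    return [p for p in conflicting_pairs(registry, set(existing) | {new_func})
            if new_func in p]
```

`check_assignment` returning a non-empty list is the point at which the alert of [0121] is raised, or, in the integrated embodiment, the assignment is refused.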

[0122] Although the invention has been discussed with respect to specific embodiments thereof, these embodiments are merely illustrative, and not restrictive, of the invention. For example, although the invention is discussed with reference to an audit manager application having numerous integrated modular functions, the invention can implement each of these functions in a separate or stand-alone form. Thus, the scope of the invention is to be determined solely by the claims.